Research on APT Attack Defense System Based on Threat Discovery

doi:10.3969/j.issn.1671-1122.2024.07.013

Abstract

Abstract:

The unknown and uncertainty of APT attacks make it difficult for traditional defense systems to quickly detect and defend, and their continuous evolution ability also makes traditional defense methods based on feature detection technology inadequate. This paper presented an APT attack and defense model based on the concept of red-blue confrontation, and summarized the steps and techniques of common network attacks based on the classification of kill chains. It also proposed a defense concept model with the core of APT threat discovery and a comprehensive security technology framework of “cloud, management, end, and ground” collaboration based on the practical experience of APT attack and defense.

Key words: cyberspace security, APT, unknown attack, red-blue confrontation, threat discovery

CLC Number:

TP309

ZHAO Xinqiang, FAN Bo, ZHANG Dongju. Research on APT Attack Defense System Based on Threat Discovery[J]. Netinfo Security, 2024, 24(7): 1122-1128.

Figures/Tables 11

References 15

[1]	DALY M K. Advanced Persistent Threat[J]. USENIX, 2009, 4(4): 2013-2016.
[2]	GUI Changni. General Situation, Typical Methods and Trend Analysis of Global Advanced Persistent Threats[J]. China Information Security, 2023(6): 85-90.
	桂畅旎. 全球高级持续性威胁总体态势、典型手法及趋势研判[J]. 中国信息安全, 2023(6):85-90.
[3]	National Computer Virus Emergency Response Center. Report on the Investigation of Northwestern Polytechnical University’s Network Attack by the US NSA(Part One)[EB/OL]. (2022-09-05)[2024-02-26]. https://www.cverc.org.cn/head/zhaiyao/news20220905-NPU.htm.
	国家计算机病毒应急处理中心. 西北工业大学遭美国NSA网络攻击事件调查报告(之一)[EB/OL]. (2022-09-05)[2024-02-26]. https://www.cverc.org.cn/head/zhaiyao/news20220905-NPU.htm.
[4]	National Computer Virus Emergency Response Center. Report on the Investigation of Northwestern Polytechnical University’s Network Attack by the US NSA(Part Two)[EB/OL]. (2022-09-27)[2024-02-26]. https://www.cverc.org.cn/head/zhaiyao/news20220927-NPU2.htm.
	国家计算机病毒应急处理中心. 西北工业大学遭美国NSA网络攻击事件调查报告(之二)[EB/OL]. (2022-09-27)[2024-02-26]. https://www.cverc.org.cn/head/zhaiyao/news20220927-NPU2.htm.
[5]	BENCSÁTH B, PÉK G, BUTTYÁN L, et al. The Cousins of Stuxnet: Duqu, Flame, and Gauss[J]. Future Internet, 2012, 4(4): 971-1003.
[6]	China Information Technology Security Evaluation Center. Global Advanced Persistent Threat(APT) Situation Report[EB/OL]. (2023-04-25)[2024-02-26]. https://mp.weixin.qq.com/s/4MKJLbOiTBIbfVsLhV20zQ.
	中国信息安全测评中心. 全球高级持续性威胁(APT)态势报告[EB/OL]. (2023-04-25)[2024-02-26]. https://mp.weixin.qq.com/s/4MKJLbOiTBIbfVsLhV20zQ.
[7]	Qianxin. Global Advanced Persistent Threats(APT) 2023 Annual Report[EB/OL]. (2024-02-02)[2024-02-26]. https://www.qianxin.com/threat/reportdetail?report_id=310.
	奇安信. 全球高级持续性威胁(APT)2023年度报告[EB/OL]. (2024-02-02)[2024-02-26]. https://www.qianxin.com/threat/reportdetail?report_id=310.
[8]	360 Threat Intelligence Center. 2023 Global Advanced Persistent Threat Research Report[EB/OL]. (2024-01-30)[2024-02-26]. https://mp.weixin.qq.com/s/NupRstKjdGUHHxQK2bz_MQ.
	360威胁情报中心. 2023全球高级持续性威胁研究报告[EB/OL][EB/OL]. (2024-01-30)[2024-02-26]. https://mp.weixin.qq.com/s/NupRstKjdGUHHxQK2bz_MQ.
[9]	YAO Xingkun, ZHENG Xianwei. Full Packet Capture and Retrospective Forensics Combined with APT Modeling and Analysis Technology[J]. Journal of Fuzhou University (Natural Science Edition), 2023, 51(5): 639-646.
	姚星昆, 郑先伟. 全流量回溯结合APT建模分析技术[J]. 福州大学学报(自然科学版), 2023, 51(5):639-646.
[10]	LUO Hanxin, WANG Jinshuang, WU Wenchang. Detecting Advanced Persistent Threats through Provenance Graph in Node Level[J]. Cyber Security and Data Governance, 2022, 41(10): 49-55.
	罗汉新, 王金双, 伍文昌. 基于溯源图节点级别的APT检测[J]. 网络安全与数据治理, 2022, 41(10):49-55.
[11]	HUTCHINS E, CLOPPERT M, AMIN R. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains[J]. Leading Issues in Information Warfare & Security Research, 2011, 1(1): 113-125.
[12]	LI Shufu, LI Xue, WANG Chao. Analysis of Typical APT Attack Cases[J]. Netinfo Security, 2016(S1): 85-88.
	李术夫, 李薛, 王超. 典型APT攻击事件案例分析[J]. 信息网络安全, 2016(S1): 85-88.
[13]	Anquanke. 2046Lab Team APT Report: “Harvest Action”(DX-APT1)[EB/OL]. (2016-08-08)[2024-02-26]. https://www.anquanke.com/post/id/84353.
	安全客. 2046Lab团队APT报告:“丰收行动”(DX-APT1)[EB/OL]. (2016-08-08)[2024-02-26]. https://www.anquanke.com/post/id/84353.
[14]	LI Yuancheng, LUO Hao, WANG Xinyu, et al. Construction of Advanced Persistent Threat Attack Detection Model Based on Provenance Graph and Attention Mechanism[J]. Journal on Communications, 2024, 45(3): 117-130. doi: 10.11959/j.issn.1000-436x.2024039
	李元诚, 罗昊, 王欣煜, 等. 基于溯源图和注意力机制的APT攻击检测模型构建[J]. 通信学报, 2024, 45(3):117-130. doi: 10.11959/j.issn.1000-436x.2024039
[15]	LI Yuancheng, LIN Yukun. APT Attack Threat-Hunting Network Model Based on Hypergraph Transformer[J]. Journal on Communications, 2024, 45(2): 106-114. doi: 10.11959/j.issn.1000-436x.2024043

杀伤链	攻击步骤和技术
侦查	外部信息获取
	漏洞扫描
	口令破解
	端口扫描
武器化	载体选择（文件载体、流量报文）
	漏洞及利用方式选择
	渗透工具选择
	控制武器选择
	加花、加壳、特征混淆等免杀技术
投放	鱼叉攻击
	水坑攻击
	供应链攻击
	临近攻击
	USB摆渡攻击
利用	溢出漏洞利用
	Web漏洞利用
	逻辑漏洞组合利用
	各类提权技术
安装	僵尸、木马、蠕虫
	系统或设备后门
	RootKit植入
	WebShell后门
	特种木马
控制	C&C命令与控制
	隐蔽信道
	异常通信模式
收割	数据、设备摧毁
	数据窃取
	数据篡改
	持续监控